The National Computer and Cybercrime Coordination Committee (NC4) Taskforce has received inquiries, opinions, proposals, and recommendations from various stakeholders, including financial institutions, health, and academia, during the Critical Information Infrastructure (CII) and Cyber Crime Management Draft Regulations Public Participation Exercise.
As the exercise enters its third day, the Task Force’s aim is to inform the public of the Computer Misuse and Cybercrimes (Critical Information Infrastructure and Cybercrime Management) Draft Regulations, 2023, established under the Computer Misuse and Cybercrimes Act 2018 (CMCA), Sections 4 and 5.
The Taskforce Head of Cybersecurity, Policy, and Strategy, Dr. David Njoga, stated that NC4’s mandate is to coordinate national cybersecurity matters to enable timely and effective management of computer misuse and cybercrime in Kenya.
He disclosed that cyberspace has emerged as the fifth-largest strategic space for socioeconomic development and security. Driven by increased connectivity and wide adoption of digital technologies, cyberspace has become a new nervous system supporting the delivery of vital services, i.e., GoK, businesses, health, schools, and banking.
However, Njoga posited that criminals use this environment to commit crimes, steal money and information, disrupt critical services, conduct fraud, undermine institutions, and cause political unrest.
He therefore emphasised that the development of a safe and secure cyberspace ecosystem requires a robust policy, legal, and regulatory framework that is strategically supported and resourced.
“The Computer Misuse and Cybercrimes Act 2018 (CMCA) provides for offences relating to computer systems to enable timely and effective detection, prohibition, prevention, response, investigation, and prosecution of computer and cybercrimes.”
Njoga reminded the stakeholders that the CMCA 2018 Regulations Taskforce (inaugurated on February 14 and gazetted on May 23) was tasked with coming up with regulations that will put this law into effect.
Meanwhile, the Kenya Bankers Association (KBA), representing 47 financial institutions across the country, agreed that the intent of the regulations is to coordinate the various players in the country's cybersecurity ecosystem. Nevertheless, it said a number of proposals created structures or responsibilities in the Taskforce that either duplicate or are inconsistent with existing structures.
KBA observed that a number of organisations and institutions have already invested in Security Operations Centres (SOCs). It therefore proposed that the regulations be modified to provide for the creation of SOCs where there are none and to develop mechanisms for sharing intelligence between existing SOCs and the Taskforce, enabling it to leverage existing infrastructure and strengthen areas that need it.
On the National Public Private Key Infrastructure (PKI), which already has a Root Certificate Authority with a regulatory mechanism for Certificate Authorities and Registration Authorities, the Association was of the view that the creation of a bridge for PKIs is a duplication of the existing National PKI, which it termed unnecessary.
KBA insisted that the current mechanism for reporting cybersecurity incidents (the National CIRT) should be leveraged by the Taskforce to collect and report all incidents and trends, as well as offer guidance on what actions the various financial sector CIRTs take to improve the cybersecurity landscape.
“This would remove the need to develop parallel structures of incident reporting and reduce the burden on stakeholders,” stressed Geoffrey Kobanga, a representative from KBA.
The stakeholders reiterated that Kenya has a very robust IT environment, with players from institutions and academia who conduct training and capacity building in cybersecurity areas, and that the regulations should not conflict with or duplicate existing ones.
They believe that the Task Force’s role is to advise on these areas and facilitate special skills it deems necessary for national security and protection of critical infrastructure, either by leveraging local institutions or arranging for specialised trainers from the international market.
The stakeholders consider maintaining a register of institutions domiciled in Kenya potentially harmful to the financial, education, and health industries. They said it would curtail research activities and innovation, limit the rights of employers, employees, and foreign experts to engage, and slow time-critical activity if foreign experts needed to deliver critical responses are not in the Task Force’s database.
They appealed to the Taskforce to address their concerns to ensure that the regulations can be implemented with the least burden to stakeholders, both in the cost of the structures to the economy and in the compliance costs for all the stakeholders impacted by the Act.
By Michael Omondi